CVE-2026-3402
Received Received - Intake
Cross-Site Scripting in PHPGurukul edit-course.php Remote Exploit

Publication date: 2026-03-02

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in PHPGurukul Student Record Management System up to 1.0. This vulnerability affects unknown code of the file /edit-course.php. Such manipulation of the argument Course Short Name leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-02
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-02
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3402
EUVD
EUVD-2026-9135
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
phpgurukul student_record_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-3402 is a Stored Cross-Site Scripting (XSS) vulnerability in the PHPGurukul Student Record Management System version 1.0. It exists in the /edit-course.php endpoint, specifically in the "Course Short Name" field. The system does not properly validate or encode user input before storing it in the database and rendering it in the browser.'}, {'type': 'paragraph', 'content': 'An authenticated administrator can exploit this vulnerability by injecting malicious JavaScript code into the Course Short Name field via the add course functionality. This malicious code is stored persistently and executes whenever the course information is viewed or edited through the manage courses interface.'}] [1, 2, 3]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability allows execution of arbitrary JavaScript code in the context of an authenticated administrator's session."}, {'type': 'list_item', 'content': 'Potential session hijacking through theft of cookies.'}, {'type': 'list_item', 'content': 'Unauthorized actions performed on behalf of the administrator.'}, {'type': 'list_item', 'content': 'Persistent compromise affecting all users who view or edit the modified course record.'}] [1, 2, 3]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for the presence of malicious JavaScript code injected into the "Course Short Name" field in the /edit-course.php endpoint of the PHPGurukul Student Record Management System version 1.0.'}, {'type': 'paragraph', 'content': 'One method to identify vulnerable targets is using Google dorking with queries such as "inurl:edit-course.php" to find instances of the affected endpoint.'}, {'type': 'paragraph', 'content': 'To confirm exploitation, an authenticated administrator can attempt to inject a test payload like `"><script>alert(document.cookie)</script>` into the Course Short Name field via the add course functionality and then observe if the script executes when viewing or editing the course.'}, {'type': 'paragraph', 'content': 'No specific network commands are provided, but manual testing through the web interface or automated scanning tools targeting the /edit-course.php endpoint and the Course Short Name parameter can be used.'}] [2, 3]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include implementing strict server-side input validation and sanitization to prevent malicious scripts from being stored.'}, {'type': 'paragraph', 'content': "Use context-aware output encoding functions such as PHP's htmlspecialchars() when rendering user input to the browser."}, {'type': 'paragraph', 'content': 'Deploy a strong Content Security Policy (CSP) to restrict the execution of unauthorized scripts.'}, {'type': 'paragraph', 'content': 'Enable HTTPOnly and Secure flags on session cookies to reduce the risk of session hijacking.'}, {'type': 'paragraph', 'content': 'Conduct secure code reviews and apply centralized input filtering to ensure consistent security practices.'}, {'type': 'paragraph', 'content': 'Perform security testing prior to deployment to detect and fix such vulnerabilities.'}] [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3402. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart